If you think you have your computers and your network locked down pretty well, you might be humbled by running a vulnerability scanner on it. A vulnerability scanner is a program that probes computers on the network for potential weaknesses and perhaps even gives you instructions for fixing them.

Many excellent commercial scanners are available. Even Microsoft has a free tool, the Microsoft Baseline Security Analyzer (www.microsoft.com/technet/security/tools/mbsahome.mspx), which scans a single system or a range of systems across a network for common system misconfigurations and missing security updates. This tool is definitely worth running, but it doesn't replace scanning for known vulnerabilities.

Third-party scanning tools, such as AppDetective (Application Security Inc., www.appsecinc.com), Retina (eEye Digital Security, www.eeye.com), and System Scanner (Internet Security Systems, www.iss.net), are able to scan for a large number of known security issues and are updated as new threats are discovered. You can specify a particular system to scan or give these products an address range; they'll find all the systems and scan them. AppDetective focuses on finding security holes and misconfigurations in database applications. For more details on vulnerability scanners, see "Network Security: Know Your Weaknesses" at go.pcmag.com/vulnerabilityscanners.

To test the free NeWT Security Scanner (Tenable Network Security Inc., www.tenablesecurity.com), I gave it my complete internal address range. The program found one computer I had forgotten about and discovered issues on some others that I wasn't aware of. I ran this scan from inside my network, so the vulnerabilities were from the perspective of a user already inside the network. But because the Servgate security appliance at the perimeter of my network would prevent many of those attacks, I decided to run the scanner from outside my network as well and tell it to scan my outside IP address.

So I ran the NeWT Security Scanner again from the outside. The results were exactly what I wanted and expected. A few ports were open, but only ones I had specifically opened, like port 25, port 80, and IKE.

Ports are the entry points through which computers on the Internet communicate, and many specific port numbers are reserved for particular applications. Port 25, the SMTP (Simple Mail Transfer Protocol) port, is used by mail servers on the Internet to send mail to one another. Port 80 is the default port used by World Wide Web servers. IKE (Internet Key Exchange) is a protocol for negotiation and authentication of IPsec-based virtual private networks.

The fact that my network is more accessible on the inside than the outside is not surprising. This reflects a deliberate decision: When it comes to protecting against intruders, I care about the outside more. But of course you do need to be conscious of security inside your network as well. If some malware were to get loose on the inside, or if a hacker were to gain entry to your network, vulnerabilities and weak protections on the inside of the network could allow damage to spread further than it should.

Vulnerability scanners can generate a flood of warnings, many of them merely informing you that you did something you plainly intended to do (like opening port 80 on your Web server). So don't assume the scanner knows more than you do, especially when it gives the warning a low priority. Consider the information you get from these programs as advice to help you secure your systems.
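One practical way to keep the scanner's advice in proportion is to compare its findings against a written statement of what you meant to expose (the hosts you know about, and the ports each one is supposed to listen on), so that a deliberately opened port 80 is filed as expected while an unplanned listener or a forgotten machine stands out whatever priority the scanner gave it. The script below is an added illustration, not code from the article or from any of the scanners it names; the findings, the 203.0.113.x addresses and the policy table are constructed sample data.

```python
"""Triage constructed vulnerability-scanner findings against an explicit
exposure policy: which hosts should exist, and which ports each is meant
to expose. Anything outside the policy is surfaced regardless of the
severity the scanner assigned (a low-priority notice may still be a
forgotten host or an unintended listener)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    proto: str     # "tcp" or "udp"
    port: int
    severity: str  # the scanner's own rating: "info", "low", "medium", "high"
    note: str


# Intended perimeter exposure, mirroring the article: SMTP, HTTP and IKE (UDP 500).
# Constructed policy; 203.0.113.0/24 is a documentation range, not a real network.
EXTERNAL_POLICY = {
    "203.0.113.10": {("tcp", 25), ("tcp", 80), ("udp", 500)},
}

# Constructed sample scan output (hypothetical, not output of any real scanner).
SAMPLE_FINDINGS = [
    Finding("203.0.113.10", "tcp", 25, "info", "SMTP service detected"),
    Finding("203.0.113.10", "tcp", 80, "info", "HTTP service detected"),
    Finding("203.0.113.10", "udp", 500, "info", "ISAKMP/IKE responder"),
    Finding("203.0.113.10", "tcp", 3389, "low", "Remote Desktop listening"),
    Finding("203.0.113.11", "tcp", 22, "info", "SSH service detected"),
]


def triage(findings, policy):
    """Split findings into expected exposure, unexpected ports on known
    hosts, and hosts the policy does not list at all."""
    expected, unexpected, unknown_hosts = [], [], set()
    for f in findings:
        if f.host not in policy:
            unknown_hosts.add(f.host)      # the "computer I had forgotten about" case
        elif (f.proto, f.port) in policy[f.host]:
            expected.append(f)             # opened on purpose: informational only
        else:
            unexpected.append(f)           # reachable, but never deliberately opened
    return expected, unexpected, sorted(unknown_hosts)


if __name__ == "__main__":
    exp, unexp, unknown = triage(SAMPLE_FINDINGS, EXTERNAL_POLICY)
    for f in exp:
        print(f"expected     {f.host} {f.proto}/{f.port}  {f.note}")
    for f in unexp:
        print(f"UNEXPECTED   {f.host} {f.proto}/{f.port}  ({f.severity}) {f.note}")
    for h in unknown:
        print(f"UNKNOWN HOST {h}: not in the inventory")
```

Run against the sample data, the three intended services are filed as expected, the Remote Desktop listener is flagged even though the scanner rated it "low", and the second address is reported as a host missing from the inventory.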
